In order to protect a network and regulate network traffic, state-of-the-art network devices enforce network policies on network traffic. A network policy describes how a network device shall operate and applies restrictions to different types of network traffic, sources, destinations and traffic content. A network policy can be created by using an Internet Protocol address and/or a domain name. Two common methods of enforcing network policies are an overriding routing table used in routers and content examination by a proxy server. When there are many network devices, there may be many network policies to manage and store.
A router uses a routing table to determine how to forward network traffic. To execute network policies, the router implements an overriding routing table that overrides the routes established or recorded in the routing table. At a router, network policies are based on Internet Protocol (IP) addresses, not domain names. A router examines the IP address of a packet to check whether that IP address has been specified in the overriding routing table. If so, the packet is routed according to the network policy stated in the overriding routing table. If not, the packet is routed according to the routing table. The benefit of using an overriding routing table is the simplicity with which it enforces network policies. The disadvantage of using an overriding routing table is its inflexibility: a domain name cannot be used to enforce network policies.
For state-of-the-art routers, if a network administrator tries to create a routing policy using a domain name, the network administrator has to look up the corresponding IP address of the domain name first, and then create a routing policy at the router using that IP address. The possible combinations of subdomain and host name are almost unlimited. This method is labour-intensive and subject to human error.
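The following Python example is added here to illustrate the two preceding paragraphs; it is not part of the patent text or of any product it describes. It models a router that consults an overriding routing table before its longest-prefix-match routing table, and then shows the manual process just described: a domain-name policy is "compiled" into IP override entries from a constructed resolution snapshot, so the resulting entries cover only the addresses known when the policy was created. All prefixes, next hops, names and the resolution snapshot are constructed sample values, not data from the patent.

```python
import ipaddress

# Constructed sample data (not from the patent text).
# Main routing table: (prefix, next hop). Longest-prefix match wins.
ROUTING_TABLE = [
    ("0.0.0.0/0", "gw-default"),
    ("198.51.100.0/24", "gw-branch"),
    ("203.0.113.0/24", "gw-partner"),
]

# Overriding routing table: prefix -> policy action or next hop.
# It is consulted before the routing table, as the text describes.
OVERRIDE_TABLE = {
    "203.0.113.10/32": "drop",
    "192.0.2.0/24": "gw-inspect",
}

# Constructed snapshot of what a DNS lookup returned when the administrator
# created the policy. The router itself never resolves names.
RESOLVED_AT_POLICY_TIME = {
    "blocked.example": ["203.0.113.10"],
}


def longest_prefix_match(dst, table):
    """Ordinary routing-table lookup: the most specific matching prefix wins."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def route(dst, override=OVERRIDE_TABLE, table=ROUTING_TABLE):
    """Consult the overriding routing table first; fall back to the routing table."""
    ip = ipaddress.ip_address(dst)
    for prefix, action in override.items():
        if ip in ipaddress.ip_network(prefix):
            return action
    return longest_prefix_match(dst, table)


def compile_domain_policy(domain, action, resolved, override):
    """The manual step from the text: translate a domain-name policy into
    host-route override entries using the addresses known at compile time.
    Addresses the name later moves to, and other subdomains, are not covered."""
    for addr in resolved.get(domain, []):
        override[f"{addr}/32"] = action
    return override


def covered(current_ip, override):
    """Does the override table still cover the address a name resolves to now?"""
    ip = ipaddress.ip_address(current_ip)
    return any(ip in ipaddress.ip_network(p) for p in override)


if __name__ == "__main__":
    ov = compile_domain_policy("blocked.example", "drop", RESOLVED_AT_POLICY_TIME, {})
    print("override entries:", ov)
    print("203.0.113.10 ->", route("203.0.113.10", ov))
    # If the name later resolves elsewhere, the IP-based policy silently misses.
    print("still covered after a move to 203.0.113.11?", covered("203.0.113.11", ov))
```

The last check is the practical failure mode behind the "labour intensive and subject to human error" remark: an IP-based override entry is a snapshot, and nothing in the router notices when the name it was derived from changes.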
A proxy server may examine contents passing through it. If, after examining the contents, the proxy server finds that they satisfy the conditions of a routing policy, the proxy server takes the corresponding network traffic routing actions against the contents and network traffic, such as filtering, blocking and/or forwarding. Some common methods used for content examination include Uniform Resource Locator (URL) or Domain Name System (DNS) blacklists, URL regex filtering, Multipurpose Internet Mail Extensions (MIME) filtering, and content keyword filtering. Some proxy servers designed for handling web traffic have been known to employ content analysis techniques to look for traits commonly used by certain types of content providers. The administrator may supply many combinations of URLs, domain names, IP addresses, keywords, etc. to create network traffic routing policies. The benefits of using a proxy server include the flexibility to use domain names to create network traffic routing policies. One disadvantage of using a proxy server is the limitation on network traffic throughput, as a proxy server in general uses more processing power and storage. Another disadvantage is that a proxy server is application specific. For some applications, such as Secure Sockets Layer, a totally transparent proxy server is difficult to realize and may be vulnerable to man-in-the-middle attack.
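The following Python example is added to illustrate the content-examination methods listed in the preceding paragraph; it is not code from the patent or from any proxy product. It applies the four named checks (a DNS blacklist matched on the host and its subdomains, URL regex filtering, MIME filtering and content keyword filtering) to constructed request records and returns the routing action. The policy values, host names and request bodies are constructed sample data; the `Request` and `ProxyPolicy` structures are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    """Constructed stand-in for a request seen by a web proxy."""
    url: str
    mime: str = "text/html"   # Content-Type of the response or upload
    body: str = ""            # decoded content, already available to the proxy


@dataclass
class ProxyPolicy:
    """One routing policy built from the administrator-supplied lists."""
    domain_blacklist: set = field(default_factory=set)   # DNS blacklist entries
    url_patterns: list = field(default_factory=list)      # compiled URL regexes
    blocked_mime: set = field(default_factory=set)        # MIME types to block
    keywords: set = field(default_factory=set)            # lowercase content keywords


def domain_matches(host, blacklist):
    """True if host equals a blacklisted name or is a subdomain of one.
    The leading dot on the suffix test stops 'notads.example' matching 'ads.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blacklist)


def examine(req, policy):
    """Run the content-examination checks in order; return ('block', reason)
    for the first check that fires, else ('forward', None)."""
    host = urlsplit(req.url).hostname or ""
    if domain_matches(host, policy.domain_blacklist):
        return ("block", "domain")
    if any(p.search(req.url) for p in policy.url_patterns):
        return ("block", "url-regex")
    # Strip parameters such as '; charset=utf-8' before comparing the MIME type.
    if req.mime.split(";")[0].strip().lower() in policy.blocked_mime:
        return ("block", "mime")
    body = req.body.lower()
    if any(k in body for k in policy.keywords):
        return ("block", "keyword")
    return ("forward", None)


# Constructed sample policy.
SAMPLE_POLICY = ProxyPolicy(
    domain_blacklist={"ads.example"},
    url_patterns=[re.compile(r"/tracker\.js(\?|$)")],
    blocked_mime={"application/x-msdownload"},
    keywords={"confidential"},
)


if __name__ == "__main__":
    for r in (
        Request("http://cdn.ads.example/banner"),
        Request("http://www.example/tracker.js?v=1"),
        Request("http://www.example/setup.exe", mime="application/x-msdownload"),
        Request("http://www.example/doc", body="This file is CONFIDENTIAL"),
        Request("http://www.example/index.html"),
    ):
        print(r.url, "->", examine(r, SAMPLE_POLICY))
```

Note that every check except the domain blacklist needs the URL path, the MIME type or the decoded body, which is exactly the application-layer state a router does not have; this is the source of the throughput and application-specificity drawbacks the paragraph describes, and for TLS traffic the body is unavailable without terminating the connection.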
Therefore, it is desirable to allow a router to use domain-name-based network policies for routing. As one administrator may manage many routers and many domain-name-based network policies, such policies may be stored in a device separate from the routers. However, allowing such domain-name-based network policies in a router by implementing content examination in the manner of a proxy server increases the complexity and computing resource requirements of the router.
PTL 0001: U.S. Pat. No. 7,984,493 (ALCATEL-LUCENT). Jul. 22, 2005.
U.S. Pat. No. 7,984,493 disclosed a method and a system to detect and confine network malicious activities originating from a local host on a local network to a remote host outside of the local network, using a local DNS server for receiving from the local host a request for a connection to the remote host, completing a DNS look-up to obtain the IP address of the remote host, and generating a conformity indication; and a local enforcement unit connected between the local network and the remote host, for blocking establishment of the connection by default until it receives the conformity indication. Unlike U.S. Pat. No. 7,984,493, this invention does not require a local DNS server and does not solely provide blocking capability. Therefore U.S. Pat. No. 7,984,493 does not disclose any details for a notional person skilled in the art to carry out this invention and does not prompt a notional person skilled in the art to modify U.S. Pat. No. 7,984,493 to arrive at something falling within the terms of the claims of this invention.
PTL 0002: U.S. Pat. No. 7,743,158 (NTT DOCOMO INC.). Apr. 12, 2002.
U.S. Pat. No. 7,743,158 disclosed a method and a system for a network edge device to integrate domain name filtering into the security policy of the network edge device by using a personal filter and a service filter. Unlike U.S. Pat. No. 7,743,158, this invention does not use a personal filter and does not involve the integration of a personal filter and a service filter. Therefore U.S. Pat. No. 7,743,158 does not disclose any details for a notional person skilled in the art to carry out this invention and does not prompt a notional person skilled in the art to modify U.S. Pat. No. 7,743,158 to arrive at something falling within the terms of the claims of this invention.
A domain name may be a host name if it has been assigned to an Internet host and associated with the host's IP address. A host name is a domain name that has at least one associated IP address. For example, the domain name “example.com” could also be a host name if an IP address is associated with it. The definitive descriptions of the rules for forming domain names appear in RFC 1035, RFC 1123, and RFC 2181 published by the Internet Engineering Task Force.
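The following Python example is added to make the preceding definitions concrete; it is not part of the patent. It checks host-name syntax according to the RFC 1035 and RFC 1123 rules cited above (each label 1 to 63 characters of letters, digits and hyphens, not beginning or ending with a hyphen, RFC 1123 permitting a leading digit, and the whole name at most 253 characters in text form) and then applies the page's own distinction: a syntactically valid domain name is a host name only if at least one IP address is associated with it. The address records are a constructed lookup table standing in for a DNS query. One caveat the text's RFC list implies: RFC 2181 allows DNS labels to contain any octet, so the syntax check below is the stricter host-name syntax, which is what a routing policy keyed on host names would want.

```python
import re

# One label: starts and ends with a letter or digit, hyphens allowed inside,
# 1 to 63 characters in total (RFC 1035 length limit, RFC 1123 leading digit).
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

MAX_NAME_LENGTH = 253  # 255-octet wire limit minus length bytes, in text form


def is_valid_domain_name(name):
    """Host-name syntax check per RFC 1035 / RFC 1123. A single trailing dot
    (fully qualified form) is accepted and ignored."""
    name = name.rstrip(".")
    if not name or len(name) > MAX_NAME_LENGTH:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


# Constructed address records; a real system would query DNS for these.
ADDRESS_RECORDS = {
    "example.com": ["192.0.2.1"],
    "www.example.com": ["192.0.2.1"],
}


def is_host_name(name, records=ADDRESS_RECORDS):
    """A host name is a valid domain name with at least one associated IP address.
    Names are compared case-insensitively, as DNS names are."""
    key = name.rstrip(".").lower()
    return is_valid_domain_name(name) and bool(records.get(key))


def classify(name, records=ADDRESS_RECORDS):
    """Return 'invalid', 'domain name' or 'host name' for a given string."""
    if not is_valid_domain_name(name):
        return "invalid"
    return "host name" if is_host_name(name, records) else "domain name"


if __name__ == "__main__":
    for n in ("example.com", "mail.example.com", "3com.net", "-bad.example",
              "a" * 64 + ".example"):
        print(f"{n!r}: {classify(n)}")
```

A policy engine that accepts administrator-supplied names benefits from running such a check before storing a policy: a malformed name can never match any traffic, so it would silently fail to enforce anything.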